AWS setup guide

Connect AWS billing data without giving CloudCostIQ infrastructure access.

Create one dedicated IAM role with an external ID. CloudCostIQ uses that role to read Cost Explorer, billing, CUR metadata, and account context for recurring savings reviews.

Step 1

Open IAM roles

In AWS Console, open IAM, then Roles, then Create role.

Start from IAM roles, not users or access keys.
Screen: AWS Console / IAM / Roles. Highlighted controls: 1. Roles; 2. Create role; 3. Trusted entity type.
Step 2

Choose trusted entity

Select AWS account as the trusted entity. Use the CloudCostIQ AWS account ID shown in your dashboard connection form.

Require an external ID. The external ID condition ensures the role can only be assumed on your behalf, which protects against confused-deputy access.

Screen: Trusted entity. Highlighted settings: 1. Trusted entity type: AWS account; 2. An AWS account: CloudCostIQ account ID; 3. Require external ID: enabled.
Step 3

Attach billing read-only policy

Create or attach the CloudCostIQ billing policy shown below. It grants billing and Cost Explorer read access only.

Do not attach AdministratorAccess, PowerUserAccess, or infrastructure write policies.
Screen: Add permissions. Highlighted permissions: 1. Cost Explorer read actions; 2. CUR report definition read; 3. Organizations account metadata read.
Step 4

Name and create the role

Name the role CloudCostIQBillingReadOnly, review the trust relationship and policy, then create the role.

Copy the Role ARN after creation.
Screen: Role details. Highlighted values: 1. Role name: CloudCostIQBillingReadOnly; 2. Trusted account: CloudCostIQ; 3. External ID condition: present.
Step 5

Paste into CloudCostIQ

Return to CloudCostIQ, open Cloud Data, choose AWS, paste the Role ARN and External ID, then run Test, save, and backfill.

The first sync backfills recent daily billing evidence for the savings review.
Screen: CloudCostIQ / AWS billing access. Highlighted fields: 1. Role ARN; 2. External ID; 3. Test, save, and backfill.

Trust policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{cloudcostiqAccountId}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "{externalIdFromCloudCostIQ}"
        }
      }
    }
  ]
}

Permission policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudCostIQBillingReadOnly",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilization",
        "ce:GetTags",
        "cur:DescribeReportDefinitions",
        "organizations:DescribeAccount",
        "organizations:ListAccounts"
      ],
      "Resource": "*"
    }
  ]
}

Common failures

  • External ID was not required in the trust policy.
  • The role ARN was copied from the wrong AWS account.
  • Cost Explorer is not enabled or has not populated billing data yet.
  • The role has IAM trust but not the billing read policy.
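As an added check (example code, not part of CloudCostIQ's documentation or tooling), the following Python script validates a role's trust policy and permission policy against the requirements above: the trusted principal is the CloudCostIQ account root, the sts:ExternalId condition is present and correct, and every allowed action stays within the read-only billing set. It catches the first and last of the common failures listed above before the role is handed over. The account ID 111111111111 and the external ID example-external-id are constructed placeholders, not real values.

```python
import json

# Read-only billing actions granted by the CloudCostIQ permission policy above.
ALLOWED_ACTIONS = {
    "ce:GetCostAndUsage", "ce:GetCostForecast", "ce:GetDimensionValues",
    "ce:GetReservationCoverage", "ce:GetReservationPurchaseRecommendation",
    "ce:GetReservationUtilization", "ce:GetSavingsPlansCoverage",
    "ce:GetSavingsPlansPurchaseRecommendation", "ce:GetSavingsPlansUtilization",
    "ce:GetTags", "cur:DescribeReportDefinitions",
    "organizations:DescribeAccount", "organizations:ListAccounts",
}

# Constructed sample trust policy: the account ID and external ID are placeholders, not real values.
SAMPLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}""")

def _as_list(value):
    # IAM policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc, cloudcostiq_account_id, external_id):
    """Return findings for the trust policy; an empty list means it is as intended."""
    findings = []
    expected_principal = f"arn:aws:iam::{cloudcostiq_account_id}:root"
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" principal (anyone) is not a dict; treat it like any unexpected principal.
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if aws != [expected_principal]:
            findings.append("trusted principal is not the CloudCostIQ account root")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong (confused-deputy risk)")
    return findings

def check_permission_policy(doc):
    """Return every allowed action outside the read-only billing set ("*" and "ec2:*" included)."""
    extra = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            extra.extend(a for a in _as_list(stmt.get("Action", [])) if a not in ALLOWED_ACTIONS)
    return extra

if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST, "111111111111", "example-external-id"))  # []
    SAMPLE_TRUST["Statement"][0].pop("Condition")  # reproduce the first "common failure" above
    print(check_trust_policy(SAMPLE_TRUST, "111111111111", "example-external-id"))
```

To check a live role, fetch the documents with `aws iam get-role` and `aws iam get-role-policy` and pass the decoded policy documents to the two check functions.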

Official references